Risk Management with Stuart King and Duncan Hart

Sep 22 2007   8:00AM GMT

Salesforce.com – Is that the way we all go?

sking2

Tags:
Misc

Salesforce.com ushers in a new era of on-demand success with the industry’s first platform as a service (PaaS). With the Force.com platform, you can build any application, any database, any logic, and run it all on demand on our trusted, secure infrastructure. Now salesforce.com allows customers to create and run any application and even any user interface imaginable–all entirely on Force.com.

(Announcement made this week on Salesforce.com)

If you do not already know, Salesforce.com is the worldwide leader in on-demand customer relationship management (CRM) services. I’m not going to go into detail here, and I recommend that you spend some time browsing their website.

PaaS and SaaS (Software as a Service) are exciting concepts. For an example of SaaS, look no further than Google Docs, a fully featured suite of office applications that allows you to create, edit and store your documents and spreadsheets without having to install any software packages on your own desktop. Now imagine if it was easy to build your own applications that also run on the Google platform. Potentially you could run everything you need for your business to function off somebody else’s resources. This is where Salesforce are heading, wanting to create a platform that anyone can build on, making it easy to integrate on-demand services and messaging features, create mash-ups, and develop custom applications to do just about anything.

Kendall Collins of Salesforce says, “You can be anywhere in the world, log in, write code that saves on our servers, tests and runs on our servers, and share that anywhere in the world.”

It’s exciting stuff and I reckon it’ll catch on because, face it, where’s the fun in purchasing a disk-space- and resource-intensive operating system only to install onto it more disk-space- and memory-intensive applications, of which most people use only a small fraction of the functionality, when we could all be using zippy, lightweight systems that connect to online platforms where all the weight of the processing and storage requirements is taken care of?

So, what of security in the future business world where we no longer store our own data and rely totally on external service providers for availability of all our business functions? Will there ever be a time when we could move all our eggs to the PaaS basket?


There are certainly some barriers to the adoption of PaaS: security, compliance and privacy concerns will, I’m sure, hold growth in check to some degree while the “followers” learn from the mistakes of the “early adopters”. However, I predict that as these concerns are addressed and competitive pressures mount, business will start to move rapidly to the on-demand, mix-and-match approach of PaaS.

We need to be careful not to repeat the same mistakes that usually get made whenever there’s a new flurry of innovation happening online. The same rules hold true: security must be a feature designed in from the ground up, developers must follow a secure SDLC, reliance and availability have to be guaranteed. Physical security, data encryption, user authentication, and application security are all essential elements.

PaaS providers won’t have any opportunity to relearn the rules because the day they suffer a data compromise or go offline will be the same day they go out of business. It’s a lesson that Salesforce already learnt early last year when they suffered an outage and demonstrated that SaaS was not yet ready at that time for the mission-critical needs of enterprises.

In fact, as stated here, Salesforce.com maintain their own computing infrastructure privately. They not only develop, sell, and service the application, but own and maintain the server and storage hardware on which the application runs. The point is made that it’s hard for any company to be great at two different businesses simultaneously so “it may have made sense for Salesforce to control its infrastructure when it was starting out” but will customers “be best served by the dual-focus strategy.”

I was thinking about the potential advantages of the PaaS model for the SME. There would be no more requirement to purchase, install and support complex software, and a much reduced real need for in-house data storage and processing capabilities. Before you wave your finger in the air and warn about the consequences of data breaches, bear in mind that a PaaS provider like Salesforce.com will have the resources to be able to provide far more resilient and secure systems than the average SME ever could for itself. For that matter, probably better security than the average large enterprise too.

So, it will come down to being a matter of trust. Do we trust Salesforce.com and their competitors to be good guardians of our business? That’s for you all to decide. Personally, I believe the days of trying to run a mish-mash of conflicting, complex, expensive, and often unreliable systems on our own often unreliable networks are drawing to a natural end and that the SaaS and PaaS models are a natural evolution.

I’ve just been watching the Salesforce.com Dreamforce video that’s online here. It’s typical, over-the-top American conferencing but well worth watching. Quote: “Business is like life… you need to know why you are here.” Love it!

4  Comments on this Post

  • Duncan
    Hi Stuart, I agree wholeheartedly with your conclusions. But if PaaS and SaaS are to really work AND if organisations want to be serious about security then people need to get real about assigning appropriate values to their information assets. At the end of the day organisations need to understand what they're putting in the hands of the external service providers and also to ensure that they're not giving away the organisation's crown jewels. At the end of the day "business is the driver, and risk management is the navigator". (I've posted a similar message to David Lacey's blog.)
  • Michael
    Now that you have egg on your face with SF's data breach, do you still think they will provide a better infrastructure and security? I work for a large corp (160,000+ employees) and we have done site inspections of SF.com and they are haphazard and arrogant about their security, and it has now been proven out. Own your data when it concerns your customers, because SalesForce glossed over their breach but Suntrust suffered. That should give everyone pause.
  • Stuart King
    Personally I think SF acknowledged and handled the "data breach" with honesty and consideration for their customers. They are a pioneering organisation and early adopters need to acknowledge the risk of being so. There's no egg on anyone's face - especially not mine because my organisation has been well aware of risk relating to SF that I, and others, had acknowledged early on and has taken well measured steps to ensure that they are mitigated.
  • Anon
    @Michael Learn English. It'll help.